Dell EMC Avamar for VMware

(1)

Dell EMC Avamar for VMware

User Guide

19.4

Dell Inc.

(2)

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Other trademarks may be trademarks of their respective owners.

(3)

Figures...8

Tables... 9

Preface...10

Chapter 1: Introduction... 14

Avamar for VMware data protection overview... 14

Image backup... 14

Guest backup... 16

Considerations...17

Changed block tracking... 18

Image backup virtual machine quiescing... 19

Image backup and recovery support in Amazon Web Services (AWS)... 19

Chapter 2: Configuration and Setup...21

Best practices... 21

(Optional) Configuring support for multiple vCenters... 22

Installing Avamar Administrator software... 22

Configure vCenter-to-Avamar authentication... 23

Add vCenter authentication certificates to the MCS keystore... 23

Disabling MCS certificate authentication... 24

Creating a dedicated vCenter user account...24

Add a vCenter as an Avamar client in the AUI...26

Register or add a proxy client... 28

Edit vCenter ... 29

Auto-discovery of virtual machines... 29

Domain mapping rules for VM auto-discovery... 30

Creating a rule...30

Deploying proxies... 30

Proxy Deployment Manager... 30

Deploy proxies... 32

Upgrading proxies... 33

Upgrading Avamar proxies... 34

Upgrading older or manually deployed Avamar proxies...34

Maintaining proxies... 37

Reregistering a proxy with an Avamar server...37

Changing the proxy guest operating system admin password...37

Changing the proxy guest operating system root password... 38

Security patch updates for proxies...38

Best practices and troubleshooting for applying security patch updates to proxies...38

Apply security patch updates to a proxy... 39

Additional Avamar server configuration...40

Configuring automatic proxy selection...40

Configuring the MCS to support both guest and image backup... 40

Chapter 3: Administration... 42

Clients and containers...42

Dynamic versus static containers...42

Dynamic container behavior...42

How independent and container protection interact...43

Add a VMware client... 43

Delete a VMware client...44

Enable changed block tracking... 45

Viewing protected virtual machines in Avamar Administrator... 45

Viewing a replicated virtual machine name in Avamar Administrator...46

Monitoring the vCenter connection in Avamar Administrator... 46

Manually synchronize the AUI with vCenter and VM clients... 46

Rename a vCenter client... 47

VMware Image Dataset... 48

Adding guest backup throttling parameters to a dataset in Avamar Administrator... 48

Groups...48

Default Proxy Group... 48

Default Virtual Machine Group...48

Virtual machine and proxy relationships within groups... 48

Changing proxy datastore and group assignments in Avamar Administrator...49

Chapter 4: Backup...50

Limitations...50

Perform an on-demand backup of a virtual machine by using AUI ...51

Set advanced plug-in options in the AUI... 52

Schedule backups using the AUI Policy wizard...53

Creating a dataset...54

Scheduling backups using the Policy wizard... 54

Create a backup policy...55

Enable a scheduled backup for a backup policy... 55

Automatically include virtual machines in a backup policy using dynamic rules...55

Log truncation backups... 60

Scheduled backups with Microsoft SQL log truncation... 60

Scheduled backups with Microsoft Exchange log truncation... 61

Monitor backups...62

Cancel backups...63

Support for vCenter HA failover for inflight backups... 63

Configure a backup to support VMware encryption... 63

VMware encryption support limitations... 64

Configure a backup to support vSAN encryption... 64

Enforcement of backups to Data Domain... 65

Chapter 5: Restore...66

Image and file-level restore guidelines...66

Year 2038... 66

Monitor restores...66

Cancel restores... 67

Instant access...67

(5)

Restore an instance of a VM backup by using the AUI...70

Image backup overview...74

Image-level restore limitations... 75

Restore the full image or selected drives to the original virtual machine...75

Restore the full image or selected drives to a different virtual machine...76

Restore the full image or selected drives to a new virtual machine by using Avamar Administrator... 77

File-level restore... 78

Performance improvements for file-level restore... 79

File-level restore supported configurations... 79

RSA SecurID authentication in the AUI... 81

File level restore troubleshooting and limitations... 82

File-level restore in the AUI... 83

Restore ACL for non-root user configuration... 84

Perform a file-level restore (FLR) operation by using the Data Protection Backup and Recovery File-Level Restore UI...85

Chapter 6: Backup Validation...87

Overview...87

What is validated... 87

VM backup validation groups...87

Performing an on-demand backup validation... 87

Scheduling backup validations... 88

Chapter 7: Protecting the vCenter Management Infrastructure...90

vCenter deployments overview... 90

Best practices for backup and restore... 90

Protecting an embedded PSC... 91

Protecting external deployment models...91

vCenter server appliance(s) with one external PSC where PSC fails...92

vCenter server appliance is lost but the PSC remains...92

vCenter server appliance with multiple PSCs where one PSC is lost, one remains... 93

vCenter server appliance remains but all PSCs fail... 93

vCenter server appliance remains but multiple PSCs fail...93

vCenter server appliance fails... 93

vCenter server restore workflow... 94

Platform Services Controller restore workfow... 95

Command reference...95

Support for vCenter HA failover for inflight backups... 96

Additional considerations...96

Chapter 8: Protecting ESX Hosts... 97

Overview... 97

Limitations... 97

Task List...97

Adding ESX host authentication certificates to the MCS keystore... 98

Creating a dedicated ESX host user account... 99

Adding an ESX host as a vCenter client... 100

Deploying a proxy in a standalone ESX host...101

Deploying a proxy appliance in an ESX host using the vSphere Client... 101

(6)

Manually configuring proxy network settings... 102

Registering and activating the proxy with the Avamar server... 103

Disassociating an ESX host from a vCenter... 103

Chapter 9: Avamar Image Backup and Recovery for VMware Cloud on Amazon Web Services (AWS)... 104

Avamar image backup and recovery for VMware Cloud on AWS...104

Configure the VMware Cloud on AWS web portal console...104

Amazon AWS web portal requirements... 105

vCenter server inventory requirements... 105

Deploy the vProxy OVA on a vCenter server in VMware Cloud on AWS...105

Configure vCenter-to-Avamar authentication for VMware Cloud on AWS...106

Avamar image backup and restore for VMware Cloud on AWS best practices...106

Unsupported Avamar operations... 107

Appendix A: Manually deploying proxies... 108

Overview...108

Downloading the proxy appliance template file...108

Deploying the proxy appliance in vCenter... 108

Deploying a proxy appliance in vCenter using the vSphere Web Client... 109

Registering and activating the proxy with the Avamar server...110

Configuring proxy settings in Avamar Administrator...111

Performing optional proxy performance optimization...111

Appendix B: vSphere Data Ports... 112

Required data ports... 112

Appendix C: Using VMware vRealize Log Insight... 113

About VMware vRealize Log Insight...113

Configuring the Log Central Reporting Service...113

Configuring Log Forwarding Agents ...114

Appendix D: Plug-in Options...115

How to set plug-in options...115

VMware Image plug-in backup options...115

VMware Image plug-in restore options... 117

Appendix E: Troubleshooting... 118

Installation and configuration problems and solutions...118

Problems adding vCenter Server as Avamar client...118

Proxy network settings... 118

Error when registering guest backup or Windows recovery target client...118

Backup problems and solutions...118

Backup does not start... 118

Exclude the proxy from the virtual machine backup if performing the backup with other VMware software ... 119

Backups fail with No Proxy errors...119

Changed block tracking does not take effect...122

Proxies are not assigned to backup jobs...122

(7)

VM snapshot fails backups due to incorrect pre-evaluation of available space...122

Backup and restore of vFlash Read Cache enabled VMs will use NBD transport mode...122

Exchange log truncation unsupported when VMDK is encrypted via vSphere... 123

Indexing VMware image backups requires HotAdd transport mode... 123

Restore problems and solutions... 123

Preexisting snapshots cause restores to fail...123

Restore to new virtual machine not available when physical RDM disks are involved... 124

FLR browse of a granular disk backup without a partition table is not supported... 124

Fault tolerance disabled when restore to new virtual machine is performed... 124

Restore to new virtual machine to Virtual SAN 5.5 will fail ... 124

Powering on an instant access vFlash-VM backup to a host without flash capacity configured fails ...124

Maximum number of NFS mounts with instant access issue... 125

FLR on RHEL 5 requires the standard C++ library...125

FLR of a folder or file name containing certain special characters fails...125

FLR to user profile fails when Admin Approval Mode is enabled... 125

A VM-based FLR fails in the virtual machine interface... 125

Glossary...126

(8)

1 Image backup diagram...14

2 Default proxy virtual machine specifications... 15

3 Example independent and container protection...43

4 Selected VMware Entities drop-down...44

5 Virtual machine and proxy relationships within groups... 49

6 Example nested container structure...51

7 Example nested container structure... 75

8 vCenter server restore workflow...94

9 PSC restore workflow... 95

10 No proxy error... 119

11 No proxy error on activity monitor... 120

12 On-demand VMware Image backup fails...120

13 Event details of failed backup...121

Figures

(9)

1 Revision history...10

2 Typographical conventions... 11

3 Guest backup installation resources... 16

4 Minimum required vCenter user account privileges...24

5 Example chart for gathering proxy information... 34

6 Example chart for gathering proxy information, continued...35

7 Required permissions... 35

8 Rule filters...57

9 Filter operator...57

10 Required permissions... 0

11 Image restore toolbar buttons... 74

12 FLR support partitioning scheme...79

13 File system support for FLR... 79

14 LVM support for FLR...80

15 WIndows Dynamic Disk support for FLR... 80

16 Multi-device support for FLR... 80

17 Minimum required ESX host user account privileges... 99

18 Required vSphere data ports... 112

19 Backup options for Avamar VMware Image plug-in... 115

20 Restore options for Avamar VMware Image plug-in... 117

Tables

(10)

As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware.

Therefore, some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

Contact a technical support professional when a product does not function correctly or does not function as described in this document.

NOTE: This document was accurate at publication time. To find the latest version of this document, go to Online Support (https://www.dell.com/support).

Purpose

This guide describes various methods and strategies for protecting VMware virtual machines.

Audience

The information in this publication is intended for system administrators who are familiar with:

● Basic Avamar system administration principles, and procedures found in the Avamar Administration Guide

● Other Avamar client software information (primarily installation, and configuration procedures) found in various Avamar client guides

A comprehensive discussion of basic Avamar system administration concepts and principles, such as clients, datasets, schedules, retention policies, and backup policies, is beyond the scope of this publication. The Avamar Administration Guide provides details.

Revision history

The following table presents the revision history of this document.

Table 1. Revision history

Revision Date Description

03 April 2021 Updated the "Unsupported Avamar operations" section.

02 December 2020 Updated the "Image backup and recovery support in Amazon Web Services (AWS)"

section.

01 November 2020 First release of this document for Avamar 19.4.

Preface

(11)

● Avamar for Lotus Domino User Guide

● Avamar for Oracle User Guide

● Avamar for SharePoint VSS User Guide

● Avamar for SQL Server User Guide

● Avamar vSphere Web Client Administration Guide

The following VMware publications provide additional information:

● Introduction to VMware vSphere

● Getting Started with ESX

● vSphere Basic System Administration

● vSphere Resource Management Guide

● vSphere Web Access Administrator's Guide

● ESX and vCenter Server Installation Guide

● ESX Configuration Guide

● VMware Data Recovery Administration Guide

Typographical conventions

Table 2. Typographical conventions

Bold Used for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks) Italic Used for full titles of publications that are referenced in text

Monospace Used for:

● System code

● System output, such as an error message or script

● Pathnames, filenames, prompts, and syntax

● Commands and options Monospace italic Used for variables

Monospace bold Used for user input

[ ] Square brackets enclose optional values

| Vertical bar indicates alternate selections - the bar means "or"

{ } Braces enclose content that the user must specify, such as x or y or z ... Ellipses indicate nonessential information that is omitted from the example

Where to get help

The Avamar support page provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may resolve a product issue before contacting Customer Support.

To access the Avamar support page:

1. Go to https://www.dell.com/support.

2. Type a product name in the Enter a Service Tag, Serial Number, Service Request, Model, or Keyword search box.

3. Select the product from the list that appears. When you select a product, the Product Support page loads automatically.

4. (Optional) Add the product to the My Products list by clicking Add to My Saved Products in the upper right corner of the Product Support page.

Documentation

The Avamar product documentation provides a comprehensive set of feature overview, operational task, and technical reference information. To supplement the information in product administration and user guides, review the following documents:

(12)

● Release notes provide an overview of new features and known limitations for a release.

● Technical notes provide technical details about specific product features, including step-by-step tasks, where necessary.

● White papers provide an in-depth technical perspective of a product or products as applied to critical business issues or requirements.

Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to https://www.dell.com/support.

2. Under the Support tab, click Knowledge Base.

3. Type either the solution number or keywords in the search box. Optionally, you can limit the search to specific products by typing a product name in the search box and then selecting the product from the list that appears.

Online communities

Go to Community Network at https://www.dell.com/community for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners, and certified professionals for all products.

Live chat

To engage Customer Support by using live interactive chat, click Join Live Chat on the Service Center panel of the Avamar support page.

Service requests

For in-depth help from Customer Support, submit a service request by clicking Create Service Requests on the Service Center panel of the Avamar support page.

NOTE: To open a service request, you must have a valid support agreement. Contact a sales representative for details about obtaining a valid support agreement or with questions about an account.

To review an open service request, click the Service Center link on the Service Center panel, and then click View and manage service requests.

Enhancing support

It is recommended to enable ConnectEMC and Email Home on all Avamar systems:

● ConnectEMC automatically generates service requests for high priority events.

● Email Home sends configuration, capacity, and general system information to Customer Support.

Comments and suggestions

Comments and suggestions help to continue to improve the accuracy, organization, and overall quality of the user publications.

Send comments and suggestions about this document to [email protected].

Include the following information:

● Product name and version

● Document name and revision (for example, 01)

● Page numbers

(13)

● Other details to help address documentation issues

(14)

Introduction

Topics:

• Avamar for VMware data protection overview

• Changed block tracking

• Image backup virtual machine quiescing

• Image backup and recovery support in Amazon Web Services (AWS)

Avamar for VMware data protection overview

Avamar offers two basic ways to protect data residing on VMware virtual machines: image backup, and guest backup.

NOTE: The Avamar AUI is only supported in stand-alone Windows and Linux environments only.

Image backup

Image backup uses VMware vStorage API for Data Protection (VADP) to protect virtual machine data.

Image backup is fully integrated with vCenter Server to provide detection of virtual machine clients, and enable efficient centralized management of backup jobs.

Figure 1. Image backup diagram

1

(15)

Proxies

Image backups and restores require deployment of proxy virtual machines within the vCenter.

Proxies run Avamar software inside a Linux virtual machine, and are deployed using an appliance template (.ova) file or the Proxy Deployment Manager.

Once deployed, each proxy provides these capabilities:

● Backup of Microsoft Windows and Linux virtual machines (entire images or specific drives)

● Restore of Microsoft Windows and Linux virtual machines (entire images or specific drives)

● Selective restore of individual folders and files to Microsoft Windows and Linux virtual machines Each proxy can perform eight simultaneous backup or restore operations, in any combination.

Proxies are allowed in any part of the Avamar Administrator account management tree except the vCenter Server domain or subdomains. Additionally, you should not activate proxies into the root domain (/). Otherwise, this action causes problems during system migration.

Although it is possible to restore across datacenters (use a proxy that is deployed in one data center to restore files to a virtual machine in another data center), restores take noticeably longer than if the proxy and the target virtual machine are in the same data center. For best performance, use the Proxy Deployment Manager which recommends the ideal deployment configuration.

Default proxy virtual machine specifications

The following figure outlines the default requirements for the proxy virtual machine.

NOTE: The IP address that is assigned to the network adapter belongs to the guest network.

Figure 2. Default proxy virtual machine specifications

Snapshots

The image backup process requires temporary creation of a virtual machine snapshot.

If the virtual machine is running at the time of backup, this snapshot can impact disk I/O and consume disk space on the datastore in which the virtual machine resides. Snapshot creation and deletion can take a long time if the virtual machine runs a heavy disk I/O workload during backup

Avamar image backup supports the following types of virtual disks:

● Flat (version 1 and 2)

● Raw Device Mapped (RDM) in virtual mode only (version 1 and 2)

● Sparse (version 1 and 2)

Other virtual disk types are not supported.

Supported storage architectures

Image backup fully supports the following storage architectures:

● Fiber channel SAN storage hosting VMFS or RDMS

● iSCSI SAN storage

● NFS

(16)

Image backup system limitations

The following system-wide limitations apply to image backups.

Special characters are not allowed in datacenter, datastore, folder, or virtual machine names

Because of a known limitation in the vCenter software, when special characters are used in the datacenter, datastore, folder, or virtual machine names, the .vmx file is not included in the backup.

This issue is seen when special characters like %, &, *, $, #, @, !, \, /, :, *, ?, ", <, >, |, ;, ',+,=,?,~ are used.

As a long-term solution for this issue, upgrade the VMware software to a version where this issue is resolved. However, until a fix is provided by VMware, rename the datacenter, datastore, folder, or virtual machine names without using these special characters.

Avamar server upgrades require proxy reboots

After you upgrade Avamar server software, you must manually reboot all proxies connected to that server.

Guest backup

Guest backup protects virtual machine data by installing Avamar client software on the virtual machine just as if it were a physical machine, then registering and activating that client with an Avamar server. No special configuration is required.

NOTE: When registering virtual machine clients protected by guest backup, do not register them to a vCenter domain.

Doing so prevents the administrator from locating or managing that virtual machine in Avamar Administrator. Instead register any virtual machine clients protected by guest backup to some other domain or subdomain (for example, / clients).

The following table lists Avamar client guides, which provide detailed instructions for installing Avamar client software in virtual machines.

Table 3. Guest backup installation resources

Client Publication

IBM AIX file systems Avamar Backup Clients User Guide

Linux file systems:

● Debian

● CentOS

● Red Hat

● SUSE

● Ubuntu

Avamar Backup Clients User Guide

UNIX file systems:

● HP-UX

● Solaris

Avamar Backup Clients User Guide

IBM DB2 databases hosted on IBM AIX, Red Hat and SUSE Linux, and Microsoft Windows

Avamar for IBM DB2 User Guide

Lotus Domino databases Avamar for Lotus Domino User Guide

Mac OS X file systems Avamar Backup Clients User Guide

Microsoft Exchange databases Avamar for Exchange VSS User Guide

Microsoft Office SharePoint implementations Avamar for SharePoint VSS User Guide Microsoft SQL Server databases Avamar for SQL Server User Guide Microsoft Windows file systems Avamar Backup Clients User Guide

(17)

Table 3. Guest backup installation resources (continued)

Client Publication

Oracle databases hosted on IBM AIX, Red Hat, and SUSE Linux, Sun Solaris, and Microsoft Windows

Avamar for Oracle User Guide

Considerations

There are various considerations of using either image or guest backup to protect virtual machine data.

General use case guidelines

For virtual machines hosted in a vCenter, image backup enables you to protect multiple virtual machines with the least amount of effort.

On Windows Vista/2008 and later virtual machines, image backups are fully application-consistent and sufficient for most use cases involving Microsoft Exchange, Microsoft Office SharePoint, and Microsoft SQL Server. However, because image backup is limited to functionality offered by the VMware vStorage API for Data Protection (VADP), some deployments might require more advanced functionality than that offered by VADP. In these situations, the additional functionality that is provided by guest backup might offer a better solution.

The following deployments are known to benefit from using guest backup instead of image backup:

● Exchange Database Availability Groups (DAGs)

● SharePoint Server Farms

● SharePoint deployments requiring log truncation

Guest backup is the only way to protect virtual machines that are not hosted in a vCenter (for example, desktops and laptops).

Ease of implementation

Image backup:

● Can leverage vCenter to discover virtual machines, and add them to the Avamar server in batches.

● Requires a moderate amount of initial setup and configuration.

Guest backup:

● Supports any virtual machine running an operating system for which Avamar client software is available.

● Supports applications such as DB2, Exchange, Oracle, and SQL Server databases.

● Easily fits into most existing backup schemes; day-to-day backup procedures do not change.

● Avamar client software must be individually installed, and managed inside each virtual machine.

Efficiency

Image backup:

● Offers moderate deduplication efficiency.

● Does not consume guest virtual machine CPU, RAM, and disk resources during backups.

● Does consume ESX Server CPU, RAM, and disk resources during backups.

Guest backup:

● Offers the highest level of data deduplication efficiency.

● Does consume small amounts of guest virtual machine CPU, RAM, and disk resources during backups.

● Does not consume ESX Server CPU, RAM, and disk resources during backups.

Backup and restore

Image backup:

● Image backups are supported for all machines currently supported by VMware.

(18)

● Backups can comprise an entire virtual machine image (all drives) or selected drives (.vmdk files).

● Individual folder and file restores supported for both Windows and Linux virtual machines.

● Backups are not optimized (temp files, swap files, and so forth, are included).

● Unused file system space is backed up.

● Virtual machines need not have a network connection to Avamar server.

● Virtual machines need not be running for backups to occur.

Guest backup:

● Backups are highly optimized (temp files, swap files, and so forth, are not included).

● Backups are highly customizable (supports full range of include and exclude features).

● Database backups support transaction log truncation, and other advanced features.

● Unused file system space is not backed up.

● Individual folder and file restores are supported for all supported virtual machines (not just Linux and Windows)

● Backup and restore jobs can execute pre- and post-processing scripts.

● Virtual machines must have a network connection to Avamar server.

● Virtual machines must be running for backups to occur.

Required VMware knowledge

Image backup requires moderate VMware knowledge. Integrators should have working knowledge of the vCenter topology in use at that customer site (that is, which ESX Servers host each datastore, and which datastores store each virtual machine’s data), and the ability to log in to vCenter with administrator privileges.

Guest backup and restore requires no advanced scripting or VMware knowledge.

Using both image and guest backup

A virtual machine can be protected by both guest backup and image backup. For example, a daily guest backup might be used to protect selective files, and a less frequent or on-demand full image backup might be used to protect the full machine. This scheme accommodates scenarios with limited backup windows.

To support using both image and guest backup to protect the same virtual machine, you must configure the Avamar MCS to allow duplicate client names.

Changed block tracking

Changed block tracking is a VMware feature that tracks which file system blocks on a virtual machine have changed between backups.

Changed block tracking identifies unused space on a virtual disk during the initial backup of the virtual machine, and also empty space that has not changed since the previous backup. Avamar data deduplication performs a similar function. However, using this feature provides valuable I/O reduction earlier in the backup process. Changed block tracking dramatically improves performance if SAN connectivity is not available.

If changed block tracking is not enabled, each virtual machine file system image must be fully processed for each backup, possibly resulting in unacceptably long backup windows, and excessive back-end storage read/write activity.

Changed block tracking can also reduce the time that is required to restore (“roll back”) a virtual machine to a recent backup image by automatically eliminating unnecessary writes during the restore process.

Changed block tracking is only available with the following types of virtual machines that use the following types of virtual disk formats:

● Virtual machine versions 7 and later

The earlier virtual machine version 4 is commonly used on ESX 3.X hosts and in virtual machines that are deployed from templates that support both ESX 3.x and 4.0 hosts. The version of a virtual machine does not change when the underlying ESX host is upgraded. Many commercial appliances exist in version 4 to allow deployment on ESX 3.x hosts.

vCenter version 4 provides the ability to upgrade version 4 virtual machine hardware from to version 7 virtual machine hardware. This upgrade is irreversible and makes the virtual machine incompatible with earlier versions of VMware software products. vCenter online help provides details.

(19)

● Disks cannot be physical compatibility RDM

● The same disk cannot be mounted by multiple virtual machines

● Virtual machines must be in a configuration that supports snapshots

Enabling changed block tracking does not take effect until any of the following actions occur on the virtual machine: reboot, power on, resume after suspend, or migrate.

Image backup virtual machine quiescing

Image backup does not provide any additional virtual machine quiescing capabilities other than those features that are provided by VMware vStorage API for Data Protection (VADP).

Before performing an image backup, three levels of virtual machine quiescing are possible:

● Crash-consistent quiescing

● File system-consistent quiescing

● Application-consistent quiescing

Crash-consistent quiescing is the least desirable level of quiescing because the virtual disk image being backed up is consistent with what would occur by interrupting power to a physical computer. File system writes might or might not be in progress when power is interrupted. Because of this issue, there is always a chance of some data loss.

File system-consistent quiescing is more desirable because the virtual machine is allowed to complete any file system writes before the disk is backed up. This level of quiescing is only available on Windows virtual machines capable of providing Windows Volume Snapshot Service (VSS) services, and that are running VMware Tools.

Application-consistent quiescing is the most desirable level of quiescing. In addition to the advantages provided by file system- consistent quiescing, applications are notified that a backup has occurred so that they can clear their transaction logs.

Application-consistent quiescing is only available on Windows Vista/2008 and later virtual machines that are running VMware Tools.

Image backup and recovery support in Amazon Web Services (AWS)

Avamar proxy provides image backup and restore support for VMware Cloud on AWS.

You can use Avamar to seamlessly deploy and manage VMware workloads across all VMware on-premises and AWS environments.

Consider the following points:

● VMware vSphere 6.5 or greater is required.

● There is no network connection between the ESXi host and the Avamar proxy on VMware Cloud on AWS. A vCenter is required for communication.

● User privileges are limited on VMware Cloud on AWS.

● Supports virtual machines that reside in a workload service pool.

● Avamar Virtual Edition support for VMware tags with SSO service.

Prerequisites

Review the following item before you begin:

● If you use NSX-T, configure DNS to resolve to the internal IP address of the vCenter server. Click SDDC Management

> Settings > vCenter FQDN and select the private vCenter IP address so that you can directly access the management network over the built-in firewall. Open TCP port 443 for the vCenter server in both the management gateway and the compute gateway. VMware KB article 70846 provides more information.

Limitations

The following features are not supported:

(20)

● Application consistent backup

● File-level restore from an image-level backup if using NSX-V. Note that this is not a limitation if using NSX-T.

● Proxy deployment manager. Proxies must be deployed manually.

● Instant access recovery of an image-level backup

● Emergency restores (image restore directly to an ESXi host, bypassing the vCenter).

● Image-level backups and restores using NBD, NBDSSL, or SAN transport mode. Only HotAdd is supported.

● Advanced policy-based data protection for MS-SQL using Avamar.

● Application-aware image backups for MS-SQL and MS-Exchange.

● Image backup and restore when the data center is under a folder.

● Data exclusion

● Proxy appliance that is configured with dual-stack or IPv6-only.

● Restore to new vApp.

● IPV6

Workarounds

● If you use NSX-T and perform an image restore with Select Post Restore Options set to Power on VM with NICs enabled, the VM network adapter may not connect. To work around this limitation without restarting the VM:

1. Right-click the VM and select Edit Settings > Network adapter.

2. Change the network to VM Network.

3. Click Apply.

4. Click Edit Settings > Network adapter.

5. Change the network to NSX-T Network.

6. Click Connect.

(21)

Configuration and Setup

Topics:

• Best practices

• (Optional) Configuring support for multiple vCenters

• Installing Avamar Administrator software

• Configure vCenter-to-Avamar authentication

• Creating a dedicated vCenter user account

• Add a vCenter as an Avamar client in the AUI

• Register or add a proxy client

• Edit vCenter

• Auto-discovery of virtual machines

• Deploying proxies

• Upgrading proxies

• Maintaining proxies

• Security patch updates for proxies

• Additional Avamar server configuration

Best practices

Follow these best practices when configuring your system.

Verify ESX and vCenter certificates

Use properly registered certificates from a trusted provider that match DNS names for ESX and vCenter.

Use fully qualified ESX Server hostnames

When adding new ESX Servers to vCenter environments, you should adhere to the VMware recommended practice of naming ESX Servers with fully qualified hostnames (not an IP address or simple hostname). Using anything other than a fully qualified hostname can result in network connection failures due to incorrect SSL certificate handling.

Recommendations for high change-rate clients

When protecting high change rate clients, such as database hosts, use guest backup, or store image backups on a Data Domain system.

Use indirect root login for proxies

Direct root login for proxies is no longer available. Instead, when a procedure requires root access, log in as the admin user, and then change to the root user by typing su -. This behavior corresponds to the existing root login configuration for the Avamar server.

2

(22)

Network settings

If you do not restore network settings after a restore operation, ensure that you manually configure network settings after the operation completes.

(Optional) Configuring support for multiple vCenters

Avamar servers support protecting up to 15 vCenters with no additional configuration required. However, if you will be

protecting more than 15 vCenters, or if your Avamar server was upgraded from the previous version, some manual configuration is required.

Steps

1. Open a command shell and log in by using one of the following methods:

● For a single-node server, log in to the server as admin.

● For a multi-node server, log in to the utility node as admin.

2. Stop the MCS by typing the following command:

dpnctl stop mcs

3. Open /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml in a UNIX text editor.

4. Ensure that the max_number_of_vcenters setting is equal to or greater than the number of vCenters you intend to protect:

a. Find the max_number_of_vcenters entry key.

b. Change the max_number_of_vcenters setting to num, where num is an integer equal to or greater than the number of vCenters you intend to protect.

For example, this setting allows as many as 15 vCenters to be protected by this Avamar server:

<entry key="max_number_of_vcenters" value="15" />

5. If protecting 50 or more vCenters, also change the maxJavaHeap setting to -Xmx2G:

a. Find the maxJavaHeap entry key.

b. Change the maxJavaHeap setting to -Xmx2G:

<entry key="maxJavaHeap" value="-Xmx2G" />

By default, the maxJavaHeap parameter is 2G. Use the following command to change the parameter:

entry key="maxJavaHeap" value="-Xmx3G" merge="keep"

6. Close mcserver.xml and save the changes.

7. Start the MCS and the scheduler by typing the following command:

dpnctl start mcs dpnctl start sched

Installing Avamar Administrator software

Install Avamar Administrator software on your Windows computer.

Steps

1. Open a web browser and type the following URL:

https://Avamar_server/dtlt/home.html

where Avamar_server is the DNS name or IP address of the Avamar server.

The Avamar Web Restore page appears.

2. Click Downloads.

3. Navigate to the folder containing 32-bit Windows software installation packages.

4. Locate the Java Runtime Environment (JRE) install package (it is typically the last entry in the folder).

(23)

5. If the JRE on the client computer is older than the JRE hosted on the Avamar server, download and install the newer JRE:

a. Click the jre-version-windows-i586-p link.

b. Open the installation file, or download the file, and then open it from the saved location.

c. Follow the onscreen instructions to complete the JRE installation.

6. Click the AvamarConsoleMultiple-windows-x86-version.exe link.

7. Open the installation file, or download the file, and then open it from the saved location.

8. Follow the onscreen instructions to complete the Avamar Administrator software installation.

Configure vCenter-to-Avamar authentication

Configure vCenter-to-Avamar authentication for each vCenter you intend to protect.

About this task

The most secure method for configuring vCenter-to-Avamar authentication is to add vCenter authentication certificates to the Avamar MCS keystore. You must do this for each vCenter you intend to protect .

If you do not want to add vCenter authentication certificates to the Avamar MCS keystore, you must disable certificate authentication for all vCenter-to-Avamar MCS communications.

Add vCenter authentication certificates to the MCS keystore

Configure vCenter-to-Avamar authentication by adding a vCenter authentication certificate to the MCS keystore. Perform this action for each vCenter that you intend to protect.

Prerequisites

NOTE: Importing the same certificate with a different alias name is not permitted.

Steps

1. Log in to the Avamar AUI with Administrator privileges. Open a web browser and type the following URL:

https://Avamar_server/aui

Where Avamar_server is the DNS name or IP address of the Avamar server.

NOTE: If your environment does not meet HTTPS certificate validation requirements, the certificate validation fails and an error message appears asking if you want to continue to download packages. Ignoring certificate validation might cause security issues.

a. In the Avamar Username field, type a username with administrative privileges.

b. In the Avamar Password field, type the password for the administrative user.

c. Select Avamar as the Auth Type.

d. Click Log In.

2. In the AUI navigation pane on the left, click , and then click Administration > System.

The System window appears.

3. Select the Certificate tab, and then click +IMPORT CERTIFICATE under the Trust Certificate tab.

The Import Certificate dialog box appears.

NOTE: If the vCenter certificate and the Avamar web server certificate are issued by the same CA, you need not import the trusted certificates again for vCenter connection. To check Avamar web server certificate, check the Raw field in the private entry details of the Private Key tab.

4. Import the vCenter trust certificate by specifying the following information:

a. In the Base Information window, perform the following steps:

i. Specify the alias name for the vCenter certificate.

ii. Click the BROWSE button to browse and import the vCenter certificate.

iii. Click NEXT.

(24)

b. (Optional) On the Validation window, specify the IP address of the vCenter, the Port number as 443, and then click VALIDATE.

The Validation Result pop-up window is displayed, where you can view if the validation is successful or failed. If the validation fails, verify the inputs again.

If you skip validation and proceed with importing the certificate, the IP and Port fields are disabled.

NOTE: Although validation is optional, for vCenter authentication certificates, it is recommended that you perform this step to ensure that there is successful communication between Avamar and the vCenter server. The validation only works with the vCenter that has a self-signed certificate or a certificate that is issued by 1-level CA. Skip the validation if your vCenter has a certificate issued by multi-level CA.

5. Click FINISH.

The successfully imported vCenter certificates are displayed under the Trust Certificate tab. You can view and delete the vCenter certificates by clicking the View and Delete icons, respectively.

NOTE: To import the parent vCenter trusted certificate, open a web browser and go to https://vCenter IP, then right-click Download Root CA certificate in the bottom-right corner of the window and select Save As... to extract the file. It is not necessary to restart the MCS after the vCenter certificate is imported to the MCS keystore.

Disabling MCS certificate authentication

If you do not want to add vCenter authentication certificates to the Avamar MCS keystore, you must disable certificate authentication for all vCenter-to-Avamar MCS communications.

Steps

1. Open a command shell and log in by using one of the following methods:

● For a single-node server, log in to the server as admin.

● For a multi-node server, log in to the utility node as admin.

2. Stop the MCS by typing the following command:

dpnctl stop mcs

3. Open /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml in a UNIX text editor.

4. Find the ignore_vc_cert entry key.

5. Change the ignore_vc_cert setting to true.

<entry key="ignore_vc_cert" value="true" />

6. Close mcserver.xml and save the changes.

7. Start the MCS and the scheduler by typing the following command:

dpnctl start mcs dpnctl start sched

Creating a dedicated vCenter user account

We strongly recommend that you set up a separate user account on each vCenter that is strictly dedicated for use with Avamar.

About this task

Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs. Use of a generic user account such as “Administrator” might hamper future troubleshooting efforts because it might not be clear which actions are actually interfacing or communicating with the Avamar server.

NOTE: The user account must be added to the top (root) level in each vCenter that you intend to protect. If you create the user account at any other level (for example, at a datacenter level), backups fail.

Table 4. Minimum required vCenter user account privileges

Privilege type Required privileges

Alarms ● Create alarm

(25)

Table 4. Minimum required vCenter user account privileges (continued)

● Edit alarm

Datastore ● Allocate space

● Browse datastore

● Configure datastore

● Low levefile operations

● Move datastore

● Remove datastore

● Delete File

● Rename datastore

Extension ● Register extension

● Unregister extension

● Update extension

Folder ● Create folder

Global ● Cancel task

● Disable methods

● Enable methods

● Licenses

● Log event

● Manage custom attributes

● Set custom attribute

● Settings

Host ● Configuration > Storage partition configuration

Network ● Assign network

● Configure

Resource ● Assign virtual machine to resource pool

Sessions ● Validate session

Tasks ● Create task

● Update task Virtual Machine-Configuration ● Add existing disk

● Add new disk

● Add or remove device

● Advanced

● Change CPU count

● Change resource

● Configure managed by

● Disk change tracking

● Disk Lease

● Extend virtuadisk

● Host USB device

● Memory

● Modify device settings

● Raw device

● Reload from path

● Remove disk

● Rename

● Reset guest information

● Set annotation

● Settings

● Swapfile placement

(26)

Table 4. Minimum required vCenter user account privileges (continued)

● Upgrade virtual machine Compatibility Virtual Machine-Guest

Operations

● Guest Operation Modifications

● Guest Operation Program Execution

● Guest Operation Queries Virtual Machine-Interaction ● Console interaction

● DeviceConnection

● Guest operating system management by VIX API

● Power off

● Power on

● Reset

● VMware Tools install Virtual Machine-Inventory ● Create from existing

● Create new

● Register

● Remove

● Unregister VirtuaMachine-Provisioning ● Allow disk access

● Allow read-only disk access

● Allow virtual machine download

● Clone virtual machine

● Mark as template Virtual Machine-Snapshot

Management

● Create snapshot

● Remove snapshot

● Revert to snapshot

vApp ● Export

● Import

● vApp application configuration

Add a vCenter as an Avamar client in the AUI

Use the following procedure to add a vCenter as an Avamar client in the AUI.

About this task

NOTE: If the vCenter was already registered as a normal backup client (for example, to support guest level backup), attempting to add that same vCenter as a vCenter client will fail because the system will not allow you to register the same client twice. If this occurs:

1. Retire the existing vCenter client in the AUI.

2. Add the vCenter as a vCenter client by using the procedure below.

3. Re-invite the retired vCenter client as a normal client to support guest level backup from the vCenter server.

Steps

1. In the AUI navigation pane on the left, click , and then click Asset Management.

2. In the domain tree, select a vCenter domain or a sub-domain for the client.

To select a sub-domain client, toggle the Include Sub-domain switch to on.

3. Click next to ADD CLIENT, and then select Add VMware vCenter.

The New vCenter Client wizard appears.

4. In the New Client Name or IP field, type the name of the client and then click NEXT.

(27)

The vCenter Information pane appears.

5. In the vCenter Information pane, compete the following information for the vCenter:

a. In the User Name field, type the user account name of the vCenter server administrator.

b. In the Password field, type the password for the vCenter user account.

c. In the Verify Password field, retype the password for the vCenter user account.

d. In the Port field, type the vCenter web services listener data port number.

443 is the default setting.

e. Click NEXT.

The Advanced pane appears where you can choose to enable the following auto discovery features that include Dynamic VM import by rule or Change Block Tracking.

6. To enable Dynamic VM import by rule, select Enable Dynamic VM import by rule and perform the following steps:

NOTE: When the VMs are auto-discovered, user defined rules are used by the Avamar software to map the auto- discovered VMs to Avamar domains. User-defined rules are also used to automatically assign backup policies to auto- discovered VMs.

● To add a rule:

a. Click ADD RULE.

b. In the Rule field, select a rule from the list.

c. In the Domain filed, type the domain that the auto-discovered VM should be included in.

If the domain entered here does not exist, it is automatically created.

● To create a rule:

Rules are used to automatically map auto-discovered VMs to domains, and to assign backup policies to auto-discovered VMs. Rules use one or more filtering mechanisms to determine whether VMs qualify under the rule.

a. Click CREATE RULE.

b. In the Rule Name field, type a name for the rule.

c. In the Match Type field, select whether the rule should match Any of the listed filter mechanisms, or All of them.

This selection allows you to configure multiple different filters to select VMs, and to determine how these filters interact with one another to select the correct VMs. For example, you might create a filter that uses a VM folder path to select VMs, and another filter that uses a VM naming convention.

This option can then be used as follows to determine which VMs are included under this rule:

○ To include only VMs that are in the defined folder path and also follow the naming convention, select All. This step excludes VMs that are in the folder path but that do not follow the naming convention, and also excludes VMs that follow the naming convention but are not in the folder path.

○ To include any VMs that are either in the VM folder path or that follow the naming convention, select Any.

d. In the Filter field, select the filter type.

For example, to create a filter that uses a VM naming convention, select VM Name, or to create filter that uses a vCenter VM Tag, select VM Tag.

NOTE: The VM Tag selection is only available with vCenter 6.0 and greater.

e. In the Operator field, select the operand.

For example, if VM Name is selected for the filter type and begins with is selected for the operand, then all VMs whose names begin with the filter text is selected.

f. In the Value field, type the filter text.

For example, to create a filter that selects all VMs whose names begin with the text string HR_, select VM Name for the filter type, begins with for the operand, and type HR_ for the filter text.

g. To create additional filters, click the plus sign (+).

This step adds a row to the list of filters. To delete an existing row, click Delete.

h. Click SUMBIT.

Changes made to tags may experience a delay of up to 12 hours before being enforced. For this reason, edit tags with caution, or perform a synchronized vCenter operation, which automatically synchronizes the vCenter with the Avamar server.

(28)

Best practice for rule creation is to ensure that rules are mutually exclusive, to avoid the situation where a VM might qualify under multiple rules.

● To enable Change Block Tracking, select Enable Change Block Tracking.

If changed block tracking is not enabled, each virtual machine image must be fully processed for each backup, which might result in long backup windows, or excessive back-end storage read and write activity.

Enabling changed block tracking does not take effect until any of the following actions occur on the virtual machine:

○ Restart

○ Power on

○ Resume after suspend

○ Migrate 7. Click NEXT.

The Optional Information pane appears.

8. Optional, compete the optional contact information including the contact name, phone number, email, and location, and then click NEXT.

The Summary pane appears.

9. Review the client summary information, and then click ADD.

The Finish pane appears.

NOTE: Add IPV6 vCenter to Avamar using FQDN only. IPV6 address is not supported.

Register or add a proxy client

Image-level backup and restore operations require the use of proxy virtual machine clients.

About this task

Client registration is the process of establishing the identity of the proxy virtual machine clients with the Avamar server. Once Avamar “knows” the client, it assigns a unique client ID (CID), which it passes back to the client during activation.

Once the client is added and registered, you can then add a client to the system in a domain and group. This action provides a high degree of control. For example, you can assign a specific dataset, schedule, and retention policy. However, it can be time consuming to add many clients.

Steps

2. To add a proxy virtual machine client, select the clients domain in the domain tree.

3. Click next to ADD CLIENT, and then select Add VMware Image Proxy.

The New Proxy Client wizard appears.

4. In the New Client Name field, type a unique fully qualified hostname, and then click NEXT.

A proxy can have three different names:

● The name of the host on which the proxy runs.

● The DNS name that is assigned to the proxy host.

● The Avamar client name after the proxy registers and activates with the Avamar server.

NOTE: To avoid confusion and potential problems, use the same fully qualified hostname for this proxy in all three contexts.

The Advanced pane appears.

5. In the Advanced pane, perform the following steps:

a. In the vCenter field, select the vCenter.

b. To enable auto data store mapping of the proxy, select Auto DataStore Mapping.

c. Click the Datastores tab, and then select all vCenter data stores that host machines that you want to protect with this proxy.

(29)

d. Click the Groups tab, and then assign this proxy to one or more groups by clicking the checkbox next to each group.

The Optional Information pane appears.

6. Optional, complete the optional contact information including the contact name, phone number, email, and location, and then click NEXT.

The Summary pane appears.

7. Review the client summary information, and then click ADD.

The Finish pane appears.

Edit vCenter

You can edit existing information for vCenter client.

Steps

2. In the hierarchical Domain tree, select the vCenter domain.

3. To edit the vCenter client information, Click the overflow menu( ), and then select Edit vCenter.

The Edit Client dialog box is displayed.

4. Edit the vCenter information. You can edit the name, contact information, or location information for vCenter.

● In Basic tab, you can edit name, domain, and overtime options available for backup.

● In Contact tab, you can edit the information like contact, phone, email address, and location.

● In VMware tab, following information can be edited:

○ Username - you can edit the user account name of the vCenter server administrator.

○ Password - you can edit the password for the vCenter user account.

○ Confirm Password - retype the password for the vCenter user account.

○ Port - you can edit the vCenter web services listener data port number. 443 is the default setting.

○ You can enable or disable Dynamic VM Import by rule and Change Block Tracking

○ You can ADD RULE from the existing or CREATE RULE for the vCenter client.

5. Click UPDATE.

Auto-discovery of virtual machines

With Avamar release 7.4, you can configure Avamar vCenter clients to auto-discover VMs that have been added to the vCenter.

When the VMs are auto-discovered, user-defined rules are used by the Avamar software to map the auto-discovered VMs to Avamar domains. User-defined rules are also used to automatically assign backup policies to auto-discovered VMs.

In addition to auto-discovering new VMs, vMotion of VMs from one vCenter to another is also automatically detected by the Avamar software. If the new vCenter hosting the VM is configured in Avamar, the VM is automatically moved from the original vCenter client to the new vCenter client using the same user-defined rules to assign its domain and backup policy. If a VM is deleted from vCenter, it is automatically removed from the vCenter client.

The auto-discover feature is supported with vCenter 5.5 and later releases. However, the vCenter must be at release 6.0 or greater to the use of VM Tags in rules. When protecting ESXi hosts instead of vCenter, only VM names and the root folder are supported in rules.

As tag modification is not triggered by an event, if you are modifying tags on virtual machines, sync with vCenter operation immediately to make the tag change to be effective. If you do not want to do this operation, the change is effective in these situations:

1. Restart Management Console Server.

2. Wait for every 12 hours full scan schedule.

3. Update vCenter, such as add or delete rule domain mapping.

NOTE: Avamar does not support auto-discovery for template VMs.

Dell EMC Avamar for VMware